How long must invoices be kept? When can job applications be deleted? What happens to log files after two years? ISO/IEC 27001:2022 control A.5.33 (Protection of records) requires that records are protected against loss, destruction, falsification and unauthorised access, and that they are retained, and then disposed of, according to defined periods. The records retention schedule documents these periods in one central place.
What does it contain?
The template captures the relevant retention information for each document type:
- Document type / category — what kind of record? (e.g. invoices, employment contracts, audit reports, log files)
- Retention period — how long is it kept? (e.g. 10 years, 6 years, until project closure + 1 year)
- Legal basis — where does the period come from? (e.g. tax law, GDPR Art. 5(1)(e) storage limitation, internal policy)
- Period start — when does the clock start? (e.g. end of fiscal year, contract termination, creation date)
- Storage location — where is it kept? (e.g. DMS, archive server, physical archive)
- Deletion procedure — how is it deleted? (e.g. automated DMS deletion, secure destruction, overwriting)
- Responsible person — who ensures the period and deletion are observed?
How to use the template
1. Inventory document types. Work systematically: financial documents, HR documents, contracts, ISMS records (audit reports, risk assessments, management review minutes), IT operations data (log files, backup media), communication (emails, correspondence).
2. Research legal periods. For each document type: is there a statutory retention obligation? Sources vary by jurisdiction: tax law, commercial law, sector-specific regulations. For personal data, additionally apply the GDPR storage-limitation principle (Art. 5(1)(e)): once no statutory obligation or legitimate purpose remains, the data must be erased, so a statutory period is a minimum to honour, not a licence to keep data indefinitely.
3. Set operational periods. Where no statutory period exists, a business decision is needed. How long are project files kept? Log files? Internal correspondence? The answer should weigh information value against storage cost and against the exposure that retained data creates: anything kept is in scope for a breach, a subject access request or litigation discovery. For security logs, the period should at least cover the window needed to detect an incident and investigate it.
4. Define deletion procedures. For each document type: how is deletion performed after the period expires? Automated DMS deletion, manual review and approval, secure physical destruction? The procedure must match the classification of the information, and it must reach every copy: backups, replicas, exports and mailbox archives keep data alive until their own rotation, and cryptographic erasure only works if the key is actually destroyed and no plaintext copy survives elsewhere.
5. Review annually. New document types emerge, legal periods change, storage systems are migrated. The retention schedule must be checked for currency at least once a year.
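The five steps above end in something operational: a record's trigger date plus the schedule's period and period-start rule give a retain-until date, after which the category's disposal procedure may run unless a hold applies. The following Python is an added example and not code from this template. Its rule table maps a few schedule IDs to constructed periods, the sample records are constructed, and the period-start mapping (tax records from the end of the calendar year, everything else from the event itself) is an assumption, because the schedule on this page carries no period-start column and you must confirm the start rule per category.

```python
"""Retention schedule evaluator (added example, not part of the template).

Turns "retention period" and "period start" into a retain-until date per
record and decides RETAIN / DISPOSE / HOLD. Rules, records and the
period-start mapping below are constructed assumptions for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Start(Enum):
    EVENT = "event"        # clock starts on the trigger date itself
    YEAR_END = "year_end"  # clock starts at the end of the trigger's calendar year


@dataclass(frozen=True)
class Rule:
    years: int = 0
    months: int = 0
    days: int = 0
    start: Start = Start.EVENT


# Constructed subset of the schedule; the period starts are assumptions.
RULES = {
    "RET-003": Rule(years=10, start=Start.YEAR_END),  # outgoing invoices, year-end start assumed
    "RET-008": Rule(months=6),                         # rejected applications, from rejection date
    "RET-022": Rule(years=2),                          # access logs, 12 months online + 12 cold
    "RET-023": Rule(days=3),                           # CCTV, 72 hours
}


@dataclass(frozen=True)
class Record:
    ref: str                  # identifier of the individual record
    rule_id: str              # schedule ID it falls under
    trigger: date             # event that starts the clock (creation, rejection, ...)
    legal_hold: bool = False  # e.g. "longer if active investigation"


@dataclass(frozen=True)
class Decision:
    ref: str
    retain_until: date
    status: str  # "RETAIN", "DISPOSE" or "HOLD"


def shift(d: date, years: int = 0, months: int = 0, days: int = 0) -> date:
    """Add a calendar period to d, clamping to the last day of the target
    month (31 Aug + 6 months is 28 Feb, not an invalid 31 Feb)."""
    total = d.month - 1 + months + 12 * years
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day)) + timedelta(days=days)


def retain_until(rule: Rule, trigger: date) -> date:
    """Last day on which the record must still be retained."""
    start = trigger if rule.start is Start.EVENT else date(trigger.year, 12, 31)
    return shift(start, rule.years, rule.months, rule.days)


def evaluate(record: Record, today: date, rules: dict = RULES) -> Decision:
    """Decide a record's fate as of `today`. An unmapped rule_id is a gap in
    the inventory and is raised, not silently retained forever."""
    if record.rule_id not in rules:
        raise KeyError(f"{record.ref}: no retention rule for {record.rule_id}")
    until = retain_until(rules[record.rule_id], record.trigger)
    if record.legal_hold:
        status = "HOLD"  # a hold always wins, even past expiry
    elif today > until:
        status = "DISPOSE"
    else:
        status = "RETAIN"
    return Decision(record.ref, until, status)


def disposal_queue(records, today: date, rules: dict = RULES) -> list:
    """Refs that may be handed to their category's disposal procedure today."""
    decisions = (evaluate(r, today, rules) for r in records)
    return [d.ref for d in decisions if d.status == "DISPOSE"]


# Constructed sample records.
SAMPLE = [
    Record("INV-2015-0042", "RET-003", date(2015, 3, 14)),
    Record("APP-7781", "RET-008", date(2024, 8, 31)),
    Record("AUTHLOG-2021-Q1", "RET-022", date(2021, 1, 1), legal_hold=True),
    Record("CAM-LOBBY-20250101", "RET-023", date(2025, 1, 1)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(evaluate(rec, date(2025, 6, 1)))
```

Run as a script it prints one decision per sample record as of 1 June 2025: the invoice is still retained until 31 December 2025 because its clock only started at year end, the rejected application expired on 28 February 2025 (the month-end clamp in `shift`), the held log is reported as HOLD although its period ran out in 2023, and the camera footage is long overdue. The explicit KeyError for an unmapped category is deliberate: it surfaces gaps in the step 1 inventory instead of leaving records unmanaged.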
| ID | Record Category | Description | Owner | Storage Location | Format | Retention Period | Legal Basis / Source | Disposal Method | Notes |
|---|---|---|---|---|---|---|---|---|---|
| RET-001 | Customer contracts | Signed master agreements and order forms | Legal | M365 SharePoint | Digital | 10 years after contract end | § 257 HGB + civil law statute of limitations | Cryptographic erase | |
| RET-002 | Supplier contracts | Signed supplier agreements + DPAs | Procurement | M365 SharePoint | Digital | 10 years after contract end | § 257 HGB | Cryptographic erase | |
| RET-003 | Invoices (outgoing) | Customer invoices | Finance | ERP + archive | Digital | 10 years | § 147 AO + § 257 HGB | ERP archive purge | Tax law mandatory |
| RET-004 | Invoices (incoming) | Supplier invoices | Finance | ERP + archive | Digital | 10 years | § 147 AO + § 257 HGB | ERP archive purge | |
| RET-005 | Accounting records | General ledger, journals, annual statements | Finance | ERP + archive | Digital | 10 years | § 147 AO + § 257 HGB | ERP archive purge | |
| RET-006 | Payroll records | Monthly payroll runs | HR | Personio + secure archive | Digital | 10 years | § 41 EStG + social security law | Vendor purge + local erase | |
| RET-007 | Employee personnel files (active) | Employment contract, qualifications, appraisals | HR | Personio | Digital | During employment + 3 years after leaving | § 195 BGB + employer obligations | Vendor purge | |
| RET-008 | Job applications (rejected) | CVs, cover letters, interview notes | HR | Personio applicant tracking | Digital | 6 months after rejection | § 15 AGG + GDPR Art. 5(1)(e) | Automated purge | Longer only with consent |
| RET-009 | Background screening results | Pre-employment checks | HR | Encrypted HR archive | Digital | Duration of employment + 6 months | § 26 BDSG | Vendor purge | |
| RET-010 | Customer master data | Account records, contact details | Sales | CRM + customer DB | Digital | 10 years after last business activity | Contractual + § 147 AO | Soft delete + 30-day purge | |
| RET-011 | Customer transactional data (shipments) | Shipment records, tracking history | Operations | Logistics portal + DWH | Digital | 3 years after delivery | Operational + statute of limitations | Automated archive purge | |
| RET-012 | Marketing consent records | Newsletter consents, marketing opt-ins | Marketing | Marketing automation tool | Digital | Until withdrawal + 3 years | GDPR Art. 5 + 7 + Art. 17 | Automated purge | |
| RET-013 | Records of processing activities (RoPA) | GDPR Art. 30 register | DPO | DSMS tool | Digital | Continuous + 3 years after processing ends | GDPR Art. 30 | Manual | |
| RET-014 | Data subject requests | SAR records, erasure requests, objections | DPO | DSMS tool | Digital | 3 years after closure | GDPR accountability + § 195 BGB | Manual | |
| RET-015 | Personal data breach records | Breach notifications, internal investigations | DPO | DSMS tool | Digital | 5 years after closure | GDPR Art. 33(5) | Manual | |
| RET-016 | DPIAs | Data protection impact assessments | DPO | DSMS tool | Digital | Lifetime of processing + 3 years | GDPR Art. 35 | Manual | |
| RET-017 | Information security incident records | Incident tickets, investigations, evidence | InfoSec Officer | SIEM + ticket system | Digital | 5 years after closure | A.5.27 + ISO 27001 9.1 | Automated archive purge | Longer if forensic evidence |
| RET-018 | Internal audit reports | Audit plans, reports, CAPAs | InfoSec Officer | Document system | Digital | 5 years | ISO 27001 7.5 + 9.2 | Manual | |
| RET-019 | Management review minutes | Management review records | InfoSec Officer | Document system | Digital | 5 years | ISO 27001 7.5 + 9.3 | Manual | |
| RET-020 | Risk register and SoA history | Risk assessments, treatment plans, SoA versions | InfoSec Officer | Document system | Digital | 5 years per version | ISO 27001 6.1 + 7.5 | Manual | |
| RET-021 | Awareness training records | Completion certificates, attendance lists | HR | LMS | Digital | 3 years | A.6.3 + audit evidence | Automated purge | |
| RET-022 | Access logs (system) | Authentication logs, admin actions | IT Operations | SIEM | Digital | 12 months online + 12 months cold storage | A.8.15 + § 100 TKG (where applicable) | Automated rotation | Longer if active investigation |
| RET-023 | CCTV footage | Building entry monitoring | Facilities | On-prem NVR | Digital | 72 hours | § 4 BDSG + works council agreement | Automated overwrite | |
| RET-024 | Visitor logs | Sign-in records at reception | Facilities | Visitor management system | Digital | 3 months | § 26 BDSG | Manual purge | |
| RET-025 | Penetration test reports | External pentest reports, remediation tracking | InfoSec Officer | Encrypted document system | Digital | 5 years | Audit evidence | Manual | |
| RET-026 | Backup data | Backup snapshots | IT Operations | Backup system | Digital | Per system retention policy (typically 30-90 days) | Operational | Automated rotation | |
| RET-027 | Email archive | Business email | IT Operations | M365 + Veeam | Digital | 10 years (where containing tax-relevant content) | § 147 AO | Automated archive purge | |
Sources
- ISO/IEC 27001:2022 A.5.33 — Protection of records
- GDPR Art. 5(1)(e) — Storage limitation